CVE-2022-41723
Published: 2023-02-28
Priority: P3 · 41 · high · 7.5 CVSS 3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 4.56% (90.4th percentile)
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
Affected (17 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | lxd | >= 0 < 2.0.11-0ubuntu1~16.04.4+esm2 | 2.0.11-0ubuntu1~16.04.4+esm2 |
| canonical | lxd | >= 0 < 3.0.3-0ubuntu1~18.04.2+esm2 | 3.0.3-0ubuntu1~18.04.2+esm2 |
| debian | golang-1.15 | < golang-1.19 1.19.6-2 (bookworm) | golang-1.19 1.19.6-2 (bookworm) |
| debian | golang-1.19 | < golang-1.19 1.19.6-2 (bookworm) | golang-1.19 1.19.6-2 (bookworm) |
| debian | golang-golang-x-net | < golang-1.19 1.19.6-2 (bookworm) | golang-1.19 1.19.6-2 (bookworm) |
| golang.org | x_net | >= 0 < 0.7.0 | 0.7.0 |
| golang | go | < 1.19.6 | 1.19.6 |
| golang | go | — | — |
| golang | hpack | < 0.7.0 | 0.7.0 |
| golang | http2 | < 0.7.0 | 0.7.0 |
| msrc | azl3_application-gateway-kubernetes-ingress_1.7.2-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_application-gateway-kubernetes-ingress_1.7.2-3_on_azure_linux_3.0 | — | — |
| msrc | azl3_kubevirt_0.59.0-14_on_azure_linux_3.0 | — | — |
| msrc | azl3_kubevirt_1.2.0-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_golang_1.17.13-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.18.8-7_on_cbl_mariner_2.0 | — | — |
| paloalto | pan-os | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | 7.5 | HIGH | |
| vendor_debian | 7.5 | HIGH | |
| vendor_msrc | 7.5 | HIGH | |
| vendor_redhat | 7.5 | HIGH | |
| vendor_ubuntu | 7.5 | HIGH | |
Ubuntu
ADSys, Juju Core, LXD vulnerabilities
vendor_ubuntu·2026-04-07·CVSS 7.5
CVE-2023-3978 [HIGH] ADSys, Juju Core, LXD vulnerabilities
Title: ADSys, Juju Core, LXD vulnerabilities
Summary: Several security issues were fixed in ADSys, Juju Core, LXD
USN-8089-1 fixed vulnerabilities in Go Networking. This update provides
the corresponding update to code vendored in LXD, ADSys, and Juju Core.
Original advisory details:
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a de
Ubuntu
Go Networking vulnerabilities
vendor_ubuntu·2026-03-31·CVSS 7.5
CVE-2025-47911 [HIGH] Go Networking vulnerabilities
Title: Go Networking vulnerabilities
Summary: Several security issues were fixed in Go Networking
USN-8089-1 fixed vulnerabilities in Go Networking. This update provides
the corresponding update to code vendored in golang-golang-x-net-dev.
Original advisory details:
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a denial of service. T
Ubuntu
Go Networking vulnerabilities
vendor_ubuntu·2026-03-12·CVSS 7.5
CVE-2022-27664 [HIGH] Go Networking vulnerabilities
Title: Go Networking vulnerabilities
Summary: Several security issues were fixed in Go Networking.
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a denial of service. This issue
only affected Ubuntu 22.04 LTS. (CVE-2022-41723)
Mohammad Thoriq Aziz discovered that Go Networking did not properly
sanitize some text nodes. An attacker coul
Palo Alto
PAN-SA-2025-0006 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto·2025-02-12·CVSS 7.1
CVE-2015-5312 [HIGH] PAN-SA-2025-0006 Informational Bulletin: Impact of OSS CVEs in PAN-OS
PAN-SA-2025-0006 Informational Bulletin: Impact of OSS CVEs in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2015-5312, CVE-2016-4607, CVE-2016-4608, CVE-2016-4609, CVE-2016-4738, CVE-2018-1111, CVE-2018-14634, CVE-2018-18653, CVE-2019-0145, CVE-2019-8331, CVE-2020-0599, CVE-2020-14343, CVE-2020-14779, CVE-2020-27844, CVE-2020-29569, CVE-2021-21315, CVE-2021-27853, CVE-2021-27854, CVE-2021-27861, CVE-2021-27862, CVE-2021-3618, CVE-2021-3711, CVE-2022-2097, CVE-2022-22816, CVE-2022-40303, CVE-2022-41723, CVE-2022-41741, CVE-2022-41742, CVE-2023-3247, CVE-2023-38408, CVE-2023-44466, CVE-2023-50781, CVE-2023-50782, CVE-2024-12084, CV
Ubuntu
Go vulnerabilities
vendor_ubuntu·2024-11-14·CVSS 7.5
CVE-2023-29405 [HIGH] Go vulnerabilities
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2
streams. An attacker could possibly use this issue to cause a denial of
service. (CVE-2022-41723)
Marten Seemann discovered that Go did not properly manage memory under
certain circumstances. An attacker could possibly use this issue to cause
a panic resulting in a denial of service. (CVE-2022-41724)
Ameya Darshan and Jakob Ackermann discovered that Go did not properly
validate the amount of memory and disk files ReadForm can consume. An
attacker could possibly use this issue to cause a panic resulting in a
denial of service. (CVE-2022-41725)
Hunter Wittenborn discovered that Go incorrectly handled the sanitization
of environment variables
Ubuntu
Go vulnerabilities
vendor_ubuntu·2024-11-14·CVSS 7.5
CVE-2024-24791 [HIGH] Go vulnerabilities
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2
streams. An attacker could possibly use this issue to cause a denial of
service. (CVE-2022-41723)
Marten Seemann discovered that Go did not properly manage memory under
certain circumstances. An attacker could possibly use this issue to cause
a panic resulting in a denial of service. (CVE-2022-41724)
Ameya Darshan and Jakob Ackermann discovered that Go did not properly
validate the amount of memory and disk files ReadForm can consume. An
attacker could possibly use this issue to cause a panic resulting in a
denial of service. (CVE-2022-41725)
Jakob Ackermann discovered that Go incorrectly handled multipart
forms. An attacker could possibly
Red Hat
etcd: Incomplete fix for CVE-2022-41723 in OpenStack Platform
vendor_redhat·2024-05-06·CVSS 7.5
CVE-2024-4436 [HIGH] CWE-400 etcd: Incomplete fix for CVE-2022-41723 in OpenStack Platform
etcd: Incomplete fix for CVE-2022-41723 in OpenStack Platform
The etcd package distributed with the Red Hat OpenStack platform has an incomplete fix for CVE-2022-41723. This issue occurs because the etcd package in the Red Hat OpenStack platform is using http://golang.org/x/net/http2 instead of the one provided by Red Hat Enterprise Linux versions, meaning it should be updated at compile time instead.
Statement: The Red Hat OpenStack 17.1 is not affe
CISA ICS
Siemens SCALANCE XCM-/XRM-300
cisa_ics·2024-02-15
Siemens SCALANCE XCM-/XRM-300
ICS Advisory
Siemens SCALANCE XCM-/XRM-300
Release Date: February 15, 2024
Alert Code: ICSA-24-046-11
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SCALANCE XCM-/XRM-300
- Vulnerabilities: Out-of-bounds Write, Incorrect Type Conversion or Cast, Improper Verification of Cryptographic Signature, Improper Access Control, Improper Authentication, Missing Encryption
Red Hat
golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
vendor_redhat·2023-02-17·CVSS 7.5
CVE-2022-41723 [HIGH] CWE-400 golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of requests.
Statement: Within OpenShift Container Platform, the maximum impact of this vulnerability is a denial of service against an individual container, so the impact could not cascade across the entire infrastructure; this vulnerability is rated Moderate impact.
Package: custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8 (Custom Metric Autoscaler operato
Microsoft
Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
vendor_msrc·2023-02-14·CVSS 7.5
CVE-2022-41723 [HIGH] Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Go: Go
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Debian
CVE-2022-41723: golang-1.15 - A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the...
vendor_debian·2022·CVSS 7.5
CVE-2022-41723 [HIGH] CVE-2022-41723: golang-1.15 - A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the...
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
Scope: local
bullseye: open
OSV
adsys, juju-core, lxd vulnerabilities
osv·2026-04-07·CVSS 7.5
[HIGH] adsys, juju-core, lxd vulnerabilities
adsys, juju-core, lxd vulnerabilities
USN-8089-1 fixed vulnerabilities in Go Networking. This update provides
the corresponding update to code vendored in LXD, ADSys, and Juju Core.
Original advisory details:
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a denial of service. This issue
only affected Ubuntu 22.04 LTS. (CVE-2022-41723)
OSV
golang-golang-x-net-dev vulnerabilities
osv·2026-03-31·CVSS 7.5
[HIGH] golang-golang-x-net-dev vulnerabilities
golang-golang-x-net-dev vulnerabilities
USN-8089-1 fixed vulnerabilities in Go Networking. This update provides
the corresponding update to code vendored in golang-golang-x-net-dev.
Original advisory details:
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a denial of service. This issue
only affected Ubuntu 22.04 LTS. (CVE-2022-41723)
OSV
golang-golang-x-net vulnerabilities
osv·2026-03-12·CVSS 7.5
CVE-2022-27664 [HIGH] golang-golang-x-net vulnerabilities
golang-golang-x-net vulnerabilities
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a denial of service. This issue
only affected Ubuntu 22.04 LTS. (CVE-2022-41723)
Mohammad Thoriq Aziz discovered that Go Networking did not properly
sanitize some text nodes. An attacker could possibly use this to execute
arbitrary code. This issue only a
OSV
golang-1.17 vulnerabilities
osv·2024-11-14·CVSS 7.5
CVE-2022-41723 [HIGH] golang-1.17 vulnerabilities
golang-1.17 vulnerabilities
Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2
streams. An attacker could possibly use this issue to cause a denial of
service. (CVE-2022-41723)
Marten Seemann discovered that Go did not properly manage memory under
certain circumstances. An attacker could possibly use this issue to cause
a panic resulting in a denial of service. (CVE-2022-41724)
Ameya Darshan and Jakob Ackermann discovered that Go did not properly
validate the amount of memory and disk files ReadForm can consume. An
attacker could possibly use this issue to cause a panic resulting in a
denial of service. (CVE-2022-41725)
Jakob Ackermann discovered that Go incorrectly handled multipart
forms. An attacker could possibly use this issue to consume an excessive
amount of
OSV
golang-1.18 vulnerabilities
osv·2024-11-14·CVSS 7.5
CVE-2022-41723 [HIGH] golang-1.18 vulnerabilities
golang-1.18 vulnerabilities
Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2
streams. An attacker could possibly use this issue to cause a denial of
service. (CVE-2022-41723)
Marten Seemann discovered that Go did not properly manage memory under
certain circumstances. An attacker could possibly use this issue to cause
a panic resulting in a denial of service. (CVE-2022-41724)
Ameya Darshan and Jakob Ackermann discovered that Go did not properly
validate the amount of memory and disk files ReadForm can consume. An
attacker could possibly use this issue to cause a panic resulting in a
denial of service. (CVE-2022-41725)
Hunter Wittenborn discovered that Go incorrectly handled the sanitization
of environment variables. An attacker could possibly use this issue to run
GHSA
GHSA-qghw-hwm7-fw74: The etcd package distributed with the Red Hat OpenStack platform has an incomplete fix for CVE-2022-41723
ghsa_unreviewed·2024-05-08·CVSS 7.5
CVE-2024-4436 [HIGH] CWE-400 GHSA-qghw-hwm7-fw74: The etcd package distributed with the Red Hat OpenStack platform has an incomplete fix for CVE-2022-41723
The etcd package distributed with the Red Hat OpenStack platform has an incomplete fix for CVE-2022-41723. This issue occurs because the etcd package in the Red Hat OpenStack platform is using http://golang.org/x/net/http2 instead of the one provided by Red Hat Enterprise Linux versions, meaning it should be updated at compile time instead.
OSV
CVE-2022-41723: A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small n
osv·2023-02-28·CVSS 7.5
CVE-2022-41723 [HIGH] CVE-2022-41723: A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small n
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
GHSA
golang.org/x/net vulnerable to Uncontrolled Resource Consumption
ghsa·2023-02-17
CVE-2022-41723 [HIGH] CWE-400 golang.org/x/net vulnerable to Uncontrolled Resource Consumption
golang.org/x/net vulnerable to Uncontrolled Resource Consumption
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
OSV
golang.org/x/net vulnerable to Uncontrolled Resource Consumption
osv·2023-02-17
CVE-2022-41723 [HIGH] golang.org/x/net vulnerable to Uncontrolled Resource Consumption
golang.org/x/net vulnerable to Uncontrolled Resource Consumption
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
OSV
Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
osv·2023-02-16
CVE-2022-41723 Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
No detection rules found.
No public exploits indexed.